Amazon Web Services (AWS)

Cost Explorer + CUR with read-only IAM.

AWS support shipped in v1.0.6. Investigations run against either Cost Explorer (ce:GetCostAndUsage) or a Cost & Usage Report (CUR) export.

Export billing data

Option A — Cost & Usage Report (recommended for paranoid mode).

  1. Billing console → Cost & Usage Reports → Create new report.
  2. Choose hourly granularity, FOCUS-1.0-compatible columns, Parquet or CSV.
  3. Pick an S3 bucket — Ghost-hunter does not need access to it.
  4. Wait 24h, download the latest CSV slice.

ghosthunter investigate --csv cur-2026-04.csv --provider aws

Option B — Cost Explorer (active mode only). Requires ce:GetCostAndUsage on a read-only IAM role.

Active mode

# ~/.ghosthunter/config.toml
[provider.aws]
profile = "ghosthunter-readonly"
region  = "us-east-1"

Minimum IAM policy: ce:GetCostAndUsage, ec2:Describe*, s3:ListAllMyBuckets, rds:Describe*, cloudwatch:GetMetric*. Full policy in the repo at docs/internal/aws-iam-policy.json.

aws sso login --profile ghosthunter-readonly
ghosthunter investigate --active --provider aws
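As an added illustration (not Ghost-hunter's shipped policy, which lives at docs/internal/aws-iam-policy.json), the Python below assembles the five actions listed above into an IAM policy document and lints it so that only Describe/Get/List verbs survive. The lint rules, the statement Sid and the read-only verb list are assumptions of this example, not something the page defines.

```python
"""Added example (not Ghost-hunter's own code): build the minimum read-only
IAM policy from the actions named in the docs and lint it so that no
mutating action or service-wide wildcard slips in."""
import json

# Actions exactly as the docs list them (wildcards included).
MINIMUM_ACTIONS = [
    "ce:GetCostAndUsage",
    "ec2:Describe*",
    "s3:ListAllMyBuckets",
    "rds:Describe*",
    "cloudwatch:GetMetric*",
]

# Assumption of this lint: these verb prefixes never change state.
# Note that Get* verbs can still read data (s3:GetObject), so this is a
# floor for "read-only", not a proof that an action is harmless.
READ_ONLY_VERBS = ("Describe", "Get", "List")


def build_policy(actions=MINIMUM_ACTIONS):
    """Return the policy as a dict. Resource is '*' because Describe/List
    calls are not resource-scoped; the Sid is a placeholder name."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GhostHunterReadOnly",
                "Effect": "Allow",
                "Action": sorted(actions),
                "Resource": "*",
            }
        ],
    }


def lint_policy(policy):
    """Return a list of findings; an empty list means every Allow grant is
    a read-only verb. Flags NotAction, 'service:*' wildcards and any action
    whose verb does not start with Describe/Get/List."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow the grant
        if "NotAction" in stmt:
            findings.append("NotAction grants everything except the listed actions")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{action}: service-wide wildcard")
                continue
            service, _, verb = action.partition(":")
            if not service or not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"{action}: not a read-only verb")
    return findings


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy))
    # Adding a mutating action is caught before the policy is attached:
    print(lint_policy(build_policy(MINIMUM_ACTIONS + ["ec2:TerminateInstances"])))
```

Run the lint against the repo's aws-iam-policy.json before attaching it to the ghosthunter-readonly role; any non-empty findings list means the role would be more than read-only.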

Allowlisted commands

Only read-only calls: aws ec2 describe-*, aws s3 ls, aws rds describe-*, aws cloudwatch get-metric-*, aws ce get-*. The validator rejects anything mutating, even with admin credentials.
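An added example of how a deny-by-default validator for that allowlist can be built. This is not Ghost-hunter's own validator (the page does not show its implementation); the allowlist patterns are the ones listed above, while the tokenizing rules, the set of value-less global flags and the Python 3.8+ shlex behaviour are assumptions of this example.

```python
"""Added example (not Ghost-hunter's validator): deny-by-default check of an
aws CLI invocation against the documented allowlist. Credentials play no
part; only the command text is inspected."""
import fnmatch
import shlex

# (service, operation glob) pairs, taken from the docs above.
ALLOWLIST = [
    ("ec2", "describe-*"),
    ("s3", "ls"),
    ("rds", "describe-*"),
    ("cloudwatch", "get-metric-*"),
    ("ce", "get-*"),
]

# aws CLI global options that take no value (assumed list; every other
# "--option" is treated as consuming the next token).
VALUELESS_FLAGS = {
    "--debug", "--no-verify-ssl", "--no-paginate",
    "--no-sign-request", "--no-cli-pager", "--no-cli-auto-prompt",
}

SHELL_PUNCTUATION = set("();<>|&")


def _positionals(tokens):
    """Drop '--option value' pairs and bare flags, keep positional words."""
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" not in tok and tok not in VALUELESS_FLAGS:
                i += 1  # skip the option's value
        elif not tok.startswith("-"):
            out.append(tok)
        i += 1
    return out


def validate(command):
    """Return (allowed, reason). Chaining operators, redirects and shell
    expansion are refused before the allowlist is even consulted, so
    'describe-instances; terminate-instances' never reaches the match."""
    try:
        lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True  # split only on whitespace and ();<>|&
        tokens = list(lexer)
    except ValueError as exc:  # e.g. unbalanced quotes
        return False, f"unparseable: {exc}"
    if not tokens:
        return False, "empty command"
    for tok in tokens:
        if set(tok) <= SHELL_PUNCTUATION:
            return False, f"shell operator {tok!r} not permitted"
        if "$" in tok or "`" in tok:
            return False, f"shell expansion in {tok!r} not permitted"
    if tokens[0] != "aws":
        return False, f"only the aws CLI is allowed, got {tokens[0]!r}"
    positional = _positionals(tokens[1:])
    if len(positional) < 2:
        return False, "missing service or operation"
    service, operation = positional[0], positional[1]
    for allowed_service, pattern in ALLOWLIST:
        if service == allowed_service and fnmatch.fnmatchcase(operation, pattern):
            return True, f"matches {allowed_service} {pattern}"
    return False, f"{service} {operation} is not on the allowlist"


if __name__ == "__main__":
    # Constructed sample commands: the first three pass, the rest are refused.
    for cmd in [
        "aws --profile ghosthunter-readonly ec2 describe-instances",
        "aws ce get-cost-and-usage --time-period Start=2026-04-01,End=2026-05-01",
        "aws s3 ls",
        "aws s3 rm s3://bucket/key",
        "aws ec2 describe-instances; aws ec2 terminate-instances",
        "aws cloudwatch put-metric-data",
    ]:
        print(validate(cmd), "<-", cmd)
```

The match is on the (service, operation) pair, not on the whole string, so a global option placed before the service does not let an operation slip past the patterns; the deny branch is the default and the allow branch is the only place that returns True.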